Starting 24 July – think of it as the Google Chrompocalypse – that “transactional” vs. “everything else” difference comes to a decisive end. As of Tuesday, all HTTP pages will be slapped with the “not secure” label, regardless of whether they’re transactional or not.

How important is it? In some ways, not very. The world won’t end. A lot of alarm-fatigued people will probably learn to ignore the little “not secure” message, if they had ever bothered to check the address bar for it to begin with.

On the other hand, it is important, because of a few things. First off, at long last, it ushers in the much-heralded reversal of what’s considered “exceptional”.

For more than a decade, the browser address bar has been the place where we all (hopefully!) looked to see whether the site we were visiting had the reassuring “Secure” padlock, letting us know that the pages we were about to view were coming to us over a secure connection. That padlock let us know that nobody else on the web could intercept the information we exchanged with a given site.

Then too, of course, the address bar also showed us the “not secure” red warning triangle. Really, with all these icons, it was getting a bit crowded up there, as we noted recently.

As part of Google’s ongoing efforts to make encrypted – i.e., HTTPS – web connections the norm, as opposed to the exception, we can all welcome Chrome version 68, the stable version of which is due on Tuesday.

With Chrome 68, Google takes one more step toward streamlining that address bar, moving to the point where it only informs users when a site is insecure. It gets better from here: Starting with Chrome version 69, due 4 Sept., the “Secure” label will disappear from HTTPS sites, and the green padlock will turn grey.

At some point after that, the padlock will go “Poof!”, completely disappearing from the address bar, leaving it empty save for the URL. No more telling us when something is good (HTTPS). We’ll just be told when it’s bad (HTTP).

Now, we’re moving toward a place where HTTPS is a given. But will it solve all security threats?

Of course not. There’s nothing stopping crooks from using HTTPS on scam sites or phishing sites, after all.

We still have to be careful. We’re not putting our tinfoil hats away in the closet just yet. But we’re waving a hearty hello to Chrome 68 just the same: it’s one important stepping stone on the road to a more secure web.

About the author

Lisa has been writing about technology, careers, science and health since 1995. She rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash and joined the freelancer economy. Alongside Naked Security Lisa has written for CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output.

I think they should change the language from “secure / not secure” to “encrypted / not encrypted”; it just seems to apply better to what’s going on here. How many sites running valid SSL certs are portals for various types of criminal activity, or once you feed them your data, it has no security beyond that point.

HTTPS says nothing conclusive about the security of the *site*, anyway, at least in the sense of site = web server plus plugins plus HTML plus CSS plus JavaScript plus back-end code. HTTPS just means various cryptographic protocols are used in the *transport* (the T in TLS!), and doesn’t say anything about the content that gets delivered.

I’m OK with describing an HTTP-only site as “insecure” on the grounds that it’s not trying hard enough, but allowing people to infer that whole sites are “secure” entirely because they send and receive data via TLS is a bit like saying that your laptop “must be virus-free because you have turned on full disk encryption”.

After GDPR, Google will now cry “wolf” at every little change. Use a new laptop, a new internet provider, use your friend’s network, use your mobile phone, and Google will claim that your security has been compromised and someone else has signed in to your account. Along with the cookie changes, this is just irritating and annoying.

I am angry about this change – not because of any political meaning but because of how satisfying it was to see that little green padlock I spent countless hours of bug-fixing to achieve every time I went to my website. I feel bad for future developers after the complete removal of the padlock who won’t feel the satisfaction I did upon seeing that badge of success on their website.

My Firefox still has a green padlock. I’ve never liked Chrome – don’t know why, it’s a visual thing combined with a nagging sense that if I use Google for search (and I do) then I might as well choose a different vendor for each of personal email, mobile telephony and browsing. So at least some of us will join you in your sense of just rewards :-)